
Page 1 (cdn.ttgtmedia.com/searchSecurity/downloads/ISM_Dec_final.pdf · 2014-01-16)

DECEMBER 2013 VOL. 15 | NO. 10

INFORMATION SECURITY

THE RISKY BUSINESS OF PROBABILITY

ENTERPRISE SECURITY BY THE NUMBERS

EDITOR’S DESK: CONGRATULATING THE 2013 SECURITY 7 AWARD WINNERS

ENHANCED THREAT DETECTION

Inside we reveal the top security professionals of the year.

The Best. The Brightest. The Security 7

Page 2

2 INFORMATION SECURITY n DECEMBER 2013

EDITOR’S DESK

SECURITY 7 AWARD WINNERS

ENHANCED THREAT DETECTION

ENTERPRISE SECURITY BY THE NUMBERS

THE RISKY BUSINESS OF PROBABILITY

Congratulating the 2013 Security 7 Award Winners
We honor leading information security professionals in seven vertical industries and applaud their achievements in our annual awards issue. BY KATHLEEN RICHARDS

EDITOR’S DESK

LANDING AT THE top of the information security field takes diligence, guts and a lot of hard work. In fact, many people don’t notice information security—including top executives—until something goes horribly wrong. What happens next? Many chief information security officers are shown the exits by their employers; 75% of CISOs lose their jobs when a publicly disclosed breach occurs without documented test plans, according to Gartner Inc. research.

Everyone in the information security field knows how hard it is to stay ahead of a rapidly evolving threat landscape. Not to mention emerging technologies, perimeter-less networking environments populated by a growing range of Internet devices—including bring your own devices—and employees who unwittingly (or stealthily) become insider threats. While the National Security Agency may be grabbing headlines that finally make people at large take a closer look at security, data privacy and surveillance, information security professionals have faced security challenges head on for decades, without much recognition of their vital roles.

Who knows how hard this job really is? Your peers. Each year, we ask our readers to nominate the top information security professionals across major industries, government and non-profits. In 2013, we are honoring innovative information security professionals in seven sectors with universal and unique information security challenges: education, health care, financial services, government, manufacturing, retail and telecommunications.

This is the ninth year we’ve handed out the Security 7 awards to outstanding representatives of the information security field. Other game-changers and luminaries that we’ve honored over the years include Bill Boni, Dorothy Denning, Dave Dittrich, Melissa Hathaway, Christopher Hoff, Ron Knode, Gene Spafford and Mark Weatherford.

As 2013 draws to a close, we’re pleased to announce the Security 7 winners who will join them on our honor roll:

Ali Youssef, senior solutions architect, Henry Ford Health Systems; Jason Witty, senior vice president and chief information security officer at U.S. Bancorp; George Do, director, Global Information Security, Equinix; Timothy Rogers, senior global manager, IT security, United Technology Corp.; Philip Scrivano, chief technology officer of the Las Virgenes Unified School District; Angela Orebaugh, Fellow, Booz Allen Hamilton; and Nick Duda, principal information security engineer, Vistaprint.

The Security 7 winners didn’t reach the pinnacle of their profession by sitting on the sidelines. In addition to innovation and outstanding achievements, they are active thought leaders who have a lot to say about industry issues, emerging technologies and hot-button security topics. As in years past, we’ve asked this year’s winners to write short essays about issues that they care deeply about. Read on to find out what’s happening with bring your own device in public schools, wireless connectivity and medical devices, security and the Internet of Things, security information and event management in the cloud, intelligence-driven security in financial services, back-to-basics security advice, behavioral data analysis and insider threats.

Our impressive group of winners is a diverse bunch with a few surprises—one skates on a roller derby team; another owns every The Amazing Spider-Man comic book published since the franchise started in 1962. At the same time, we noticed some commonalities. When asked if they personally favored Apple or Android, all seven said Apple. What keeps them up at night? Some noted security worries, but most said their kids.

We thank our honorees for their notable contributions to the information security community and for earning the recognition of their peers—and our editorial team. Congratulations to this year’s Security 7 award winners! n

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath. Send comments on this column to [email protected].

Page 4

SECURITY 7 AWARDS

ALI YOUSSEF: Wi-Fi Connectivity Puts Pressure on Healthcare Security
JASON WITTY: Banking on Good Intelligence
GEORGE DO: A Full Service Model for SIEM
TIMOTHY ROGERS: Secrets of Outliers: Privileged Users and Patterns of Deception
PHILIP SCRIVANO: From ABCs to BYOD
ANGELA OREBAUGH: Secure all the Things
NICK DUDA: Get Back to Basics for Improved Network Security

The Best. The Brightest. The Security 7

Page 5

SECURITY 7 | HEALTH CARE

Wi-Fi Connectivity Puts Pressure on Health Care Security
Health system’s certification program mitigates the risks associated with wireless medical devices. BY ALI YOUSSEF

ALI YOUSSEF, Senior Solutions Architect, Henry Ford Health System

n Biomedical engineer who served as one of the lead architects for the Henry Ford Health System’s wireless LAN.

n A pioneer in larger scale health care wireless networks, he created a medical device certification and onboarding process for equipment evaluation.

n More than 13 years of experience with medical device design, network architecture and project management.

n Member of the mHIMSS Advisory Council and the AAMI Wireless Strategy Task Force. Look for his book, Wi-Fi Enabled Healthcare, in 2014.

THE CONVENIENCE AND workflow improvements attained from using wireless medical devices come at a steep price. These types of devices are especially susceptible to being hacked or infected with malware. At Black Hat 2011, security consultant Jay Radcliffe wirelessly manipulated the functionality of an insulin pump, sending shockwaves through the industry.

Other demonstrations soon followed, raising alarms about wireless medical devices that can be hacked and put patient lives at risk. The Showtime series Homeland brought widespread attention to this issue by depicting the assassination of the vice president of the United States via hacking and manipulation of his pacemaker.

The possibilities are real. Malicious threats are as relevant to wireless medical devices as they are to any other networked IP device. Medical device misconfiguration puts other devices on the hospital’s network at risk. These risks need to be understood, documented and managed. This issue has enough attention that the Wi-Fi Alliance, the FDA and the Association for the Advancement of Medical Instrumentation recently released best practices for managing wireless medical devices; they are drafting guidance on managing cybersecurity in medical devices.

At Henry Ford Health System (HFHS), our RF footprint has grown from a handful of

Page 6

wireless access points in 2005 to around 8 million square feet of ubiquitous coverage in 2013. With wall-to-wall Wi-Fi available throughout HFHS, the demand for Wi-Fi-capable medical devices is rising steadily.

Major interoperability and security issues first came to light with the initial wave of medical devices on the network. An EKG device that relied on having a static IP address did not comply with IEEE 802.11i. We also spent about a year troubleshooting the wireless stability of a mobile X-ray system and working with the vendor to redesign the device. To proactively deal with these types of issues and to gain better insight about new wireless medical devices, it became clear that a comprehensive strategy combining process and technology was needed.

The current industry consensus is that the best practice for wireless medical device authentication and encryption is using 802.1X with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Advanced Encryption Standard encryption. This enforces mutual authentication and requires each medical device to have an X.509 certificate installed before it is allowed onto the wireless network.

Due to the wide spectrum of devices’ wireless capabilities, it’s often necessary to use a phased approach to manage wireless medical devices and promote ongoing authentication and encryption best practices. The HIPAA advisory and the Wi-Fi Alliance have acknowledged that 802.11 security features such as Wired Equivalent Privacy and shared key authentication are not secure enough. In an effort to promote continuous improvement, HFHS IT and Clinical Engineering have implemented the following phases:

n Phase 1: All medical devices that support a certain authentication and encryption standard are configured to use a dedicated service set identifier (SSID), keeping the number of SSIDs as low as possible.

n Phase 2: Network policies are applied to limit medical device network access to required IP addresses.

n Phase 3: Medical devices that do not support Wi-Fi Protected Access 2 (WPA2) EAP-TLS are continuously refreshed, resulting in one SSID using EAP-TLS.

In addition to these three phases, it’s critical to develop a centralized device inventory, and to adopt a standard certification and onboarding process in order to get a good handle on the wireless medical device space in the hospital. The certification process entails engaging all the technical and clinical stakeholders to discuss and support expectations prior to ordering the device and introducing it to the hospital network. The testing entails functional security as well as clinical workflow testing. Any security concerns are identified through a thorough risk assessment in line with the recommendations in the IEC 80001 documentation.

As a result of launching and growing the program, we continue to have great traction and a much better grasp of our existing and potential wireless medical devices. We also have a better sense of their security and impact on our wireless environment. In addition we have developed a fantastic collaborative relationship with our clinical engineering, supply chain, service level management and security teams. n

OUTSIDE OF WORK

Apple or Android? Apple
Plan B: Veterinarian or cardiologist
Security hero? Bruce Schneier
Things people don’t know about you: I love to run, and I went to high school on the island of Cyprus.
Six degrees of separation: Theo Brunner (Team USA volleyball) is my brother-in-law. Hannah Simone, who plays Cece Parekh on the New Girl sitcom, was like a little sister to me while in Cyprus. n
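The three phases and the centralized inventory described above, as an added example that is not Henry Ford Health System's code: a small Python onboarding classifier that places each device on the single SSID matching its capability class (Phase 1), emits a least-privilege network policy restricting it to required peers (Phase 2), and puts devices that lack EAP-TLS support or a valid X.509 certificate on a refresh list (Phase 3). The SSID names, the `allow`/`deny` rule syntax, and the sample inventory (device names, addresses, peer ports) are constructed assumptions, not values from the article.

```python
"""Wireless medical device onboarding classifier.

Added example, not Henry Ford Health System code. Devices that support
802.1X/EAP-TLS and carry a valid X.509 certificate are placed on the
certificate-authenticated SSID; devices limited to WPA2 pre-shared keys go
on a legacy SSID whose network policy restricts them to required peers;
devices that only support WEP, shared-key or open authentication, or whose
certificate is missing or expired, are flagged for refresh. SSID names,
the rule syntax and the sample inventory are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed SSID names (assumption, not the health system's real SSIDs).
SSID_EAP_TLS = "MED-EAPTLS"
SSID_LEGACY = "MED-LEGACY-PSK"
REFRESH = "REFRESH"  # marker for devices that cannot be placed on either SSID

# 802.11 modes the article says are no longer secure enough.
DEPRECATED_AUTH = {"WEP", "SHARED-KEY", "OPEN"}

# Inventory date used by the sample run (constructed).
AS_OF = date(2013, 12, 1)


@dataclass
class MedicalDevice:
    name: str
    ip: str
    auth: str                          # strongest mode the device supports
    cert_expires: Optional[date]       # expiry of its installed X.509 cert
    required_peers: List[Tuple[str, int]] = field(default_factory=list)


def assign_ssid(dev: MedicalDevice, today: date) -> str:
    """Phase 1: map a device to the single SSID for its capability class."""
    if dev.auth == "EAP-TLS":
        # Mutual authentication requires a valid certificate before admission.
        if dev.cert_expires is None or dev.cert_expires <= today:
            return REFRESH             # certificate missing or expired
        return SSID_EAP_TLS
    if dev.auth == "WPA2-PSK":
        return SSID_LEGACY
    if dev.auth in DEPRECATED_AUTH:
        return REFRESH                 # Phase 3: schedule for replacement
    raise ValueError(f"unknown auth mode {dev.auth!r}")


def build_policy(dev: MedicalDevice) -> List[str]:
    """Phase 2: least-privilege rules limiting the device to its required peers.

    The 'allow src dst port' form is a constructed, vendor-neutral syntax.
    """
    rules = [f"allow {dev.ip} {peer} {port}" for peer, port in dev.required_peers]
    rules.append(f"deny {dev.ip} any any")
    return rules


def onboarding_report(devices: List[MedicalDevice], today: date) -> Dict:
    """Centralized inventory view: SSID and policy per device, plus a refresh list."""
    report: Dict = {"assignments": {}, "policies": {}, "refresh": []}
    for dev in devices:
        ssid = assign_ssid(dev, today)
        if ssid == REFRESH:
            report["refresh"].append(dev.name)
            continue
        report["assignments"][dev.name] = ssid
        report["policies"][dev.name] = build_policy(dev)
    return report


# Constructed sample inventory (names, addresses and ports are made up).
SAMPLE_DEVICES = [
    MedicalDevice("infusion-pump-01", "10.20.1.11", "EAP-TLS", date(2015, 6, 30), [("10.20.9.5", 443)]),
    MedicalDevice("ekg-cart-07", "10.20.1.12", "WPA2-PSK", None, [("10.20.9.8", 2575)]),
    MedicalDevice("mobile-xray-02", "10.20.1.13", "WEP", None, [("10.20.9.9", 104)]),
    MedicalDevice("telemetry-03", "10.20.1.14", "EAP-TLS", date(2013, 1, 1), [("10.20.9.5", 443)]),
]

if __name__ == "__main__":
    rep = onboarding_report(SAMPLE_DEVICES, AS_OF)
    for name, ssid in rep["assignments"].items():
        print(f"{name:18} -> {ssid}")
        for rule in rep["policies"][name]:
            print("    ", rule)
    print("refresh:", rep["refresh"])
```

The certificate check is the part worth keeping in any real onboarding tool: a device that advertises EAP-TLS but has no valid certificate cannot complete mutual authentication and should not be silently dropped onto a pre-shared-key SSID as a workaround.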

Page 8

SECURITY 7 | FINANCIAL SERVICES

Banking on Good Intelligence
Rapid change requires a disciplined, collaborative approach to information security. BY JASON WITTY

THE YEAR 2013 has proven to be yet another record-breaker for information security teams—more data, sophisticated hacks, new adversaries and greater motivation for attack. We’ve also hit an inflection point: I’m now officially fielding information security questions from my family almost as often as I am from my boss. Information security has become a mainstream topic.

We already manage the information security risks of an explosively innovative world, with 7.1 billion people and more than 6 billion mobile phones. We’re responsible for evaluating a world in which Facebook has grown so fast that one in seven people (about 1.15 billion) now share information socially. We’ve accepted that computers don’t stay secure over time, and we put in systems and processes to patch them on a continual basis. And we’re all working on the ramifications, risks, and rewards associated with cloud computing and the bring your own device phenomenon. These things alone are enough to keep any competent CISO busy in the extreme.

Unfortunately, they are not the only dynamics at play. In 2013 we’ve now witnessed somewhat of an “awakening” on the Internet. Historically, information security professionals have had a lot of practice at dealing with threat actors whose motivation is theft. Whether it’s

JASON WITTY, Senior Vice President and Chief Information Security Officer at U.S. Bancorp

n Within his first 90 days as CISO at U.S. Bancorp, Witty worked with executives to develop a three-year roadmap based on an intelligence-driven security strategy, and broadly communicated that vision to more than 6,000 managers. His success resulted in large increases in operating budgets and project funding.

n At Bank of America, Witty led a global information security team spanning eight countries. He was also accountable for all infosec controls for Bank of America Merrill Lynch, in 48 countries outside of the U.S.

Page 9

intellectual property or data, we’re fairly good at dealing with theft as a profession. But in 2013, we saw large scale attacks in which the motivation was simply disruption or even destruction. This is a game-changing development every information security professional must ponder. How do you handle a nation-state adversary whose sole goal is to knock your computers offline, or even wipe them all clean, in order to make a point to your country’s leaders? What sort of government help exists? What sort should exist?

Keeping up with this velocity of change is extremely difficult. It requires a collaborative approach to information security that is disciplined and intelligence-based. We have defined six areas of intelligence we watch daily:

n Customers are increasingly online and mobile and demand we are careful stewards of their data and transactions

n Shareholders require we protect revenue and enable growth

n Business lines require agility and fast time to market to meet business objectives

n Employees strive for excellence and are changing how and where they work

n Regulators demand we provide evidence of a strong information security program

n Cyberthreats require us to have mature prevention, detection and recovery controls

We build feeds, processes, and relationships to track changes in all six intelligence areas, and use that to drive continual re-evaluation of our priorities, and the velocity with which we deploy solutions and controls.

All of these dynamics at play also offer CISOs a fantastic opportunity to get what we’ve always wanted—a seat at the senior executive table. We must seize that opportunity, realize the implications of what it means and adapt our vernacular to be able to communicate adequately, and eloquently, with business leaders. How do you speak Klingon with your team all day and then switch to English, when your CEO or board asks you a question? It’s easier said than done.

We have to be clear, concise and action-oriented. Consider for a moment, why do you have a job? To manage risk? If you have a breach or large scale information security issue, it’s highly likely corporate revenue will suffer. So your job is really revenue protection. Putting risks in terms business leaders can understand will not only benefit your career, it will help you get the support you need to develop solutions to keep pace with our ever-changing world. n

OUTSIDE OF WORK

Apple or Android? Apple
Plan B: Hapkido instructor
Security hero? Gary McGraw
How you unwind: Meditation
What keeps you up at night? My kids! n

Page 10

SECURITY 7 | TELECOMMUNICATIONS

A Full Service Model for SIEM
The industry needs to recognize the value that full service “SIEM in the cloud” would bring to organizations. BY GEORGE DO

ORGANIZATIONS CONTINUE TO struggle with a rise in security incidents, and CISOs and their IT teams often lack the resources to meet the challenge. Like most information security programs, we are being asked—and, in many cases, forced—to do more with less.

Enter a concept that hasn’t been a focus in the industry until recently: Developing a security information and event management (SIEM) system, which addresses not only the high costs of setup and ownership, but the most important use cases.

SIEM promises to improve the security incident response lifecycle by collecting and analyzing data from a myriad of sources (network and security devices, security programs and servers). SIEM technologies provide log management, event monitoring, alerting and compliance reporting through complex infrastructure involving hardware, software, custom processes and analytics. Given the push towards the cloud, there’s a unique opportunity to deliver SIEM in a way that adds far greater value to users.

What is the goal of a SIEM? That depends on the organization, but the common use cases are to detect, validate, and adequately respond to system compromises, data leakage events, malware outbreaks, investigations into a particular user, and service outages. At least that’s

GEORGE DO, Director, Global Information Security, Equinix

n Developed the Global Information Security Program at Equinix, integrating legacy security systems and the latest information security technologies.

n Evaluated SIEM technologies and managed SOC services to architect a full-blown SIEM in the cloud, and cloud Web proxy service to protect systems from malware, as well as to enable enforcement of acceptable use policies.

n Credentials and affiliations: CISSP, GIAC Certified Forensics Analyst, GIAC Certified Incident Handler, ITIL Foundation Certified, SANS Institute member

Page 11

what it is for my organization. Simplistic as it may sound, I expect that this would be the answer from most other organizations, too.

Much has been researched, written, and deployed in practice regarding SIEM. However, the industry still fails to recognize the valid need for cloud-based SIEM services. A full service SIEM would not only leverage the commonly accepted benefits of the cloud, it would address the complete incident response lifecycle. After all, a SIEM’s output is basically a correlated event that responders use to investigate incidents. When and how the event is used is the key to adding greater value to any SIEM investment.

Consider a subscription-based SIEM service that is straightforward to deploy and goes beyond just spitting out events by taking it several steps further. The complexity of log and event management (collection, storage and analysis) is significantly reduced, because users no longer have to invest heavily in these security activities in terms of human or monetary capital. Because all of these complex infrastructures live in the cloud, the model can be as simple as: forward all your logs/events to the cloud, execute a basic security baseline exercise during setup, and agree to a service-level agreement (SLA) for event alerting. In addition, the service would offer 24/7 security operations center (SOC) coverage, in which frontline responders analyze each SIEM event and escalate it to users only if necessary based on SLAs.

The value proposition for such a service is vastly more attractive compared with traditional on-premises SIEM systems. The goal of SIEM in the cloud is to have 100% in the cloud with nothing on-premises.

As with most solutions that marry complex technology and processes, the devil is in the details. SIEM systems store and process highly sensitive data (security logs and events) for an organization and may even contain personal data.

OUTSIDE OF WORK

Apple or Android? Apple
Plan B: Become a tour guide in Bora Bora.
Security hero? Richard A. Clarke, former national coordinator for security, infrastructure protection and counter-terrorism
Things people don’t know about you: I’m a political junkie. I love Legos and ‘80s music.
Six degrees of separation: Salvadore Rositano, an engineering college professor, who spent 50 years at NASA.
What keeps you up at night? Our struggle to leave the earth better than we found it. n

SIEM-in-the-cloud users are required to have an extremely high level of trust with the SIEM provider. The following key security challenges need to be addressed:

Page 12

n Security level and posture of the vendor

n Limits of liabilities (customer data compromise)

n Governance, risk and compliance requirements (consider companies that comply with EU regulations)

n Compliance with privacy policy (user and corporate data leaving the premise)

There’s help out there for a lot of these issues. Companies such as Skyhigh Networks offer cloud security software to help organizations efficiently assess the security level and posture of cloud services. This enables organizations to quantify the risk of cloud services with hard data to back up their assessments. CISOs can then make an informed decision about whether to engage with the cloud vendor based on these merits.

The SIEM field is crowded and contains a mash of providers from traditional players—RSA enVision, HP ArcSight, McAfee and Splunk—to innovative log management companies, such as Sumo Logic. Each offering has strong as well as weak points. However, no one has really crafted an offering for a full service SIEM in the cloud that includes a SOC with human eyes to proactively monitor events. Managed security service providers such as AT&T and IBM have offerings that cobble pieces together. However, these services are targeted at managing or leasing SIEM infrastructure.

A full service SIEM should offer the following:

n Zero (or negligible) investments in on-premises hardware and software

n Quick to deploy—just forward logs from your existing infrastructure

n SOC coverage, 24/7

n Packaged common use cases and SLA (out-of-the-box configuration)

Hopefully, the industry will come to recognize this as an issue and more importantly develop complete services for SIEM in the cloud. It’s time security solutions started taking advantage of the scalability and cost benefits realized by other services. n
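The service model sketched in this essay (forward logs, let a correlation rule produce a single correlated event, and let SOC responders escalate against an SLA) as an added example; this is not Equinix's code nor any vendor's product logic. The log line format, the correlation rule and its thresholds, and the SLA table are constructed assumptions.

```python
"""Minimal cloud-SIEM style pipeline: forwarded logs -> correlated event -> SLA.

Added example, not Equinix's or any SIEM vendor's code. The syslog-like
line format, the rule (several failed logons followed by a success from the
same user and source within a short window) and the escalation SLA values
are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded authentication logs (not a real product format).
FORWARDED_LOGS = """\
2013-12-02T08:00:01 host=vpn1 user=jdoe src=203.0.113.7 result=fail
2013-12-02T08:00:05 host=vpn1 user=jdoe src=203.0.113.7 result=fail
2013-12-02T08:00:09 host=vpn1 user=jdoe src=203.0.113.7 result=fail
2013-12-02T08:00:12 host=vpn1 user=jdoe src=203.0.113.7 result=fail
2013-12-02T08:00:20 host=vpn1 user=jdoe src=203.0.113.7 result=success
2013-12-02T08:05:00 host=vpn1 user=asmith src=198.51.100.4 result=fail
2013-12-02T08:30:00 host=vpn1 user=asmith src=198.51.100.4 result=success
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) src=(\S+) result=(\S+)$")

# Constructed SLA: how long the SOC has before an event must be escalated.
SLA_ESCALATE_WITHIN = {
    "high": timedelta(minutes=15),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}


def parse(lines: str):
    """Turn forwarded log text into event dicts; malformed lines are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, src, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "src": src, "result": result})
    return events


def correlate(events, fail_threshold=3, window=timedelta(minutes=2)):
    """Rule: >= fail_threshold failures then a success from the same
    (user, src) inside `window` -> one correlated event, which is the
    SIEM output a responder actually works from."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["user"], ev["src"])].append(ev)
    correlated = []
    for (user, src), evs in by_key.items():
        fails = []
        for ev in evs:
            if ev["result"] == "fail":
                fails.append(ev["ts"])
            elif ev["result"] == "success":
                recent = [t for t in fails if ev["ts"] - t <= window]
                if len(recent) >= fail_threshold:
                    correlated.append({"rule": "brute-force-then-success",
                                       "user": user, "src": src,
                                       "severity": "high", "ts": ev["ts"],
                                       "failures": len(recent)})
                fails = []   # a success closes the current failure run
    return correlated


def escalation_deadline(event):
    """Latest time the SOC may hold the event before escalating to the customer."""
    return event["ts"] + SLA_ESCALATE_WITHIN[event["severity"]]


def sla_breached(event, reviewed_at):
    """True if the frontline review happened after the SLA deadline."""
    return reviewed_at > escalation_deadline(event)


def run(logs: str = FORWARDED_LOGS):
    """Full pipeline over the forwarded text: parse, then correlate."""
    return correlate(parse(logs))


if __name__ == "__main__":
    for ev in run():
        print(ev["rule"], ev["user"], ev["src"], "escalate by", escalation_deadline(ev))
```

Only the jdoe sequence produces a correlated event; asmith's single failure followed by a success 25 minutes later is below both the count and the time window, which is the difference between raw events and the correlated output responders should be paged on.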

Page 13

SECURITY 7 | MANUFACTURING

Secrets of Outliers: Privileged Users and Patterns of Deception
Security professionals should analyze metrics to learn baseline behavioral patterns of their employees and identify anomalous behaviors. BY TIMOTHY ROGERS

MARKETING FOLKS HAVE long identified the promise of big data and analytics, looking for competitive advantages and insights into customer behaviors. Internet users help build these metrics by “liking” this or that, or unknowingly indicating preferences through their daily Web activities. Similar metrics surround those of us in the information technology profession: This data can be mined to help protect our companies.

The methodology of using the metaphorical electronic battering ram to break through a company’s hard exterior is gone, but not forgotten. Most security teams now understand how to protect against these attacks. Security professionals are even getting more talented in spotting those pesky APTs that parachute into our companies and open up the unwanted outbound conduit. When advanced persistent threats execute and communicate back to the command center, those actions take on the same characteristics as insider threats.

Today’s security organizations collect logs, utilize security information and event management (SIEM) correlation engines, participate in crowdsourcing, and purchase security intelligence services. All of these sources are effective and even beneficial independently, but they struggle to help identify insiders who have appropriate access and are abusing it.

TIMOTHY ROGERS, Group Manager, IT Security, United Technologies Corporation

n Has worked at United Technologies Corp. since 2005, developing task forces to target IT security threats.

n Increased focus on insider threats at UTC. Discovered that employees begin to exfiltrate data as much as 60 days in advance of giving their notice.

n Credentials and affiliations: EC-Council’s Certified Chief Information Officer, ISACA Certified Information Security Manager, High Tech Crime Investigation Association, member of CT Infraguard, Information Systems Security Association

Page 14

Among the questions we should consider are how and why these individuals became threats. The ‘why’ may be as simple as monetary gain, a disgruntled employee, or someone who mistakenly feels that the data is their property; whereas others encompass complicated scenarios such as social engineering attacks, or an infected computer in which the user is unaware they are a threat.

In order to combat insidious insider threats, security professionals should begin to examine user metrics to learn more about the baseline behavioral patterns of their employees and more importantly identify anomalous behaviors. These metrics may not be the ones that traditional SIEM systems gather or even consider.

Organizations often wonder how to collect user metrics, and what to do with that information once they have it. Consider the value of certain metrics, such as daily system logon/logoff, average size of email transmissions, number of emails sent (and received), with whom users communicate, the frequency and tone of those communications, Internet usage, and data transfers. Network and endpoint data loss prevention systems provide a number of metrics that should not be overlooked. Identity management systems add to the mix and help us compare an employee’s historical usage patterns and that of their peers. Consider adding user financial data (travel expense reports, credit cards, purchase cards and the like) and travel itineraries to help build a profile of each employee.

OUTSIDE OF WORK

Apple or Android? Apple. Android scared me.
Plan B: Great burger bar (I like peanut butter on my hamburger).
Security hero? Many historical people for their contributions and the fresher minds of our time—Greg Hoglund is one of them.
Things people don’t know about you: My passion for the Red Sox is second only to the love I have for my family.
What keeps you up at night? Not knowing. With so many threats and attack vectors, we don’t know what we don’t know. n

Many organizations gather this type of data, but I question if we apply the right type of analysis to it. Utilizing analytics, we can start to compare individuals’ historical patterns, peer groups, departments and organizations. Such comparisons show usage patterns that will normalize over time, and make it much easier to see the needle in a

Page 15: DECEMBER 2013 INFORMATION VOL. 15 | NO. 10 SECURITYcdn.ttgtmedia.com/searchSecurity/downloads/ISM_Dec_final.pdf · 2014-01-16 · become insider threats. While the National Security

15 INFORMATION SECURITY n DECEMBER 2013

EDITOR’S DESK

SECURITY 7 AWARD WINNERS

ENHANCED THREAT DETECTION

ENTERPRISE SECURITY BY THE NUMBERS

THE RISKY BUSINESS OF PROBABILITY

SECURITY 7 | MANUFACTURING

but they certainly provide insights that require follow up.We all have times when we are not at our best and

perform actions that certainly could be a false positive in the analytical world. How many of us today see this with our fellow coworkers or employees? Putting some analysis behind our metrics, comparing users’ actions to their norm or the norms of their work environment pro-vide substantial insight into threats below the radar. Data analytics provide security organizations with an intelli-gent tool that provides deeper and clearer insight to help search out and destroy dangerous insider threats. n

stack of anomalies that squeak by our faithful SIEMs. Insider threats normally have all the permissions

needed to copy, print, move, email and utilize company data in order to perform their everyday work. So how do we notice when threats are valid and not just false posi-tives? Humans tend to be creatures of habit. Therefore, when we apply thoughtful analytics to our user metrics, we can see that Bob is printing a lot of documents that he normally doesn’t access, or Alice just copied the whole network share to a removable drive. These actions alone do not necessarily mean there is a threat to the company,
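The Bob and Alice scenarios above can be turned into a concrete scoring rule: compare each day's metric against the user's own prior days and against the values seen from peers in the same department, and flag only values that are far from both baselines. The following is an added example written for this article, not the author's tooling; the activity records are constructed, and the metric names, departments and z-score thresholds are assumptions.

```python
"""Baseline-versus-anomaly scoring of user activity metrics.

Added example, not the author's tooling. Every record below is constructed,
and the metric names, departments and z-score thresholds are assumptions."""
from statistics import mean, pstdev

# Constructed daily metrics: (user, department, day, metric, value)
ACTIVITY = [
    # Bob prints a handful of documents a day, then 140 on day 10
    *[("bob", "finance", d, "docs_printed", v)
      for d, v in enumerate([4, 6, 5, 3, 7, 4, 5, 6, 4], start=1)],
    ("bob", "finance", 10, "docs_printed", 140),
    # Alice occasionally copies a few MB to removable media, then a whole share
    *[("alice", "eng", d, "usb_mb_copied", v)
      for d, v in enumerate([0, 12, 0, 0, 30, 0, 8, 0, 0], start=1)],
    ("alice", "eng", 10, "usb_mb_copied", 25600),
    # Carol is a print-heavy finance peer; high volume is normal for her
    *[("carol", "finance", d, "docs_printed", v)
      for d, v in enumerate([40, 45, 38, 50, 42, 47, 39, 44, 41, 46], start=1)],
    # Dave is a typical finance peer
    *[("dave", "finance", d, "docs_printed", v)
      for d, v in enumerate([5, 4, 6, 5, 3, 6, 5, 4, 5, 6], start=1)],
]


def zscore(value, history):
    """How many standard deviations `value` sits from the mean of `history`.
    Too little history, or no spread at all, yields 0 (no opinion)."""
    if len(history) < 3:
        return 0.0
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if value == history[0] else float("inf")
    return (value - mean(history)) / sd


def score_day(records, user, day, metric, z_self=3.0, z_peer=3.0):
    """Compare one user's metric on `day` against (a) that user's own prior
    days and (b) everything seen from peers in the same department.
    A value is anomalous only when it is far from *both* baselines, so a
    habitually heavy user (Carol) is not flagged for behaving like herself."""
    today = [r for r in records if r[0] == user and r[2] == day and r[3] == metric]
    if not today:
        return None
    dept, value = today[0][1], today[0][4]
    own = [r[4] for r in records if r[0] == user and r[3] == metric and r[2] < day]
    peers = [r[4] for r in records if r[1] == dept and r[0] != user and r[3] == metric]
    zs, zp = zscore(value, own), zscore(value, peers)
    return {
        "user": user, "day": day, "metric": metric, "value": value,
        "z_self": round(zs, 2), "z_peer": round(zp, 2),
        # with no peers reporting this metric, the self baseline alone decides
        "anomalous": zs > z_self and (not peers or zp > z_peer),
    }


def flag_anomalies(records, day):
    """Score every (user, metric) pair active on `day`; return the anomalous ones."""
    pairs = sorted({(r[0], r[3]) for r in records if r[2] == day})
    hits = []
    for user, metric in pairs:
        s = score_day(records, user, day, metric)
        if s and s["anomalous"]:
            hits.append((user, metric))
    return hits


if __name__ == "__main__":
    for user, metric in flag_anomalies(ACTIVITY, 10):
        print("follow up:", score_day(ACTIVITY, user, 10, metric))
```

Run against day 10, the function flags Bob's printing and Alice's removable-media copy, while Carol's equally large print count passes because it matches her own history. Both baselines are deliberately weak (mean and standard deviation over a short window); a production system would use a longer window, a robust spread estimate, and the additional DLP and identity metrics the article lists.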


SECURITY 7 | EDUCATION

From ABCs to BYOD
Why I arm kindergarteners with the same technology as the Fortune 500.
BY PHILIP SCRIVANO

PHILIP SCRIVANO
Chief Technology Officer, Las Virgenes Unified School District

- Former management analyst for California's Fiscal Crisis and Management Assistance Team, evaluating technology directors throughout the state; conducted studies for seven county offices of education, 54 school districts and two junior colleges.

- Led forensic technology investigations at more than 40 schools across the state.

- Early supporter of technology in the classroom, using the Apple IIe in his sixth grade classes.

AS CHIEF TECHNOLOGY officer of Las Virgenes Unified School District (LVUSD) in Los Angeles County, I keep up on IT trends across industries. Over the past year, I've seen many articles debating the benefits and risks of enabling bring your own device (BYOD) in the enterprise. It may come as a surprise, but for my school district this debate is old news.

Today the district provides wireless connectivity across our 17 public schools, enabling every student and teacher, from kindergarten up, to use personal devices in the classroom. (This BYOD program is distinct from the Apple iPad rollout in the Los Angeles Unified School District.) By welcoming these devices, we've been able to adopt a technology-rich curriculum aimed at giving our students the skills to succeed in today's world and beyond. Along the way, we addressed the same security concerns that plague organizations across all industries, as well as some that are specific to education.

CIOs contemplating BYOD programs can identify with many of the challenges we faced, including how to enable our 11,500 K-12 students and 650 teachers to bring a variety of mobile devices to school and get a quality, secure connection. It's a scale similar to that of many Fortune 500 companies, and we had to rebuild our network infrastructure to make sure it was up to the task. We reconfigured the firewall, all VLANs, access control lists and server infrastructure, and replaced every network switch in the district with a Layer 3 Gigabit Ethernet device. This all had to be accomplished before building a Wi-Fi infrastructure.

Teachers also had to have confidence in the network before they would buy into using personal devices in their classrooms. In the words of one teacher: "I'm not going to make a lesson plan that depends on technology unless it's reliable." When a single day of teaching costs our district $400,000 and when thousands of our students now take nationalized testing online, a robust network is a very sound investment.

We needed strong security controls, but we couldn't afford to hire additional IT staff to police our students and their devices. This meant we needed a policy engine that would automatically identify every user connecting to the network, whether a student, teacher, administrator or guest, and give them access to the resources appropriate for their user type, but nothing else. The policy engine also had to identify every device, associate it with the user and ensure that it was free of malware before allowing it on the network. Ultimately we selected a network access control (NAC) system from Bradford Networks to provide these capabilities. We also use an Internet content filter from Nomadix, and only credentialed LVUSD staff can decide which sites are allowed.

For district-owned devices, we are deploying AirWatch mobile device management. We use WPA2, 802.1X and Microsoft Active Directory combined with our NAC system to onboard all devices. This ensures that security is applied to every device connection, and that the user is placed on the appropriate VLAN and security profile.

We also designed a simple onboarding process suitable for the entire LVUSD community. All students are allowed to bring up to four devices to school, even kindergartners. Students register their devices once a year, which they can do from home so parents can help younger students.

OUTSIDE OF WORK

Plan B: Always! I am a change agent and life-long learner. When my work is done, I move on to the next exciting challenge.
Security hero? Kenneth S. Rosenblatt, author of High-Technology Crime: Investigating Cases Involving Computers.
Things people don't know about you: I like to read more than watch television, and I have found 900 geocaches.
How you unwind: I ride my Yamaha FZ1 and crew foredeck on ocean-racing sailboats.
What keeps you up at night? My four children.


Now, whenever Julie Smith turns on her Windows, iOS or Android device, our NAC system knows that it belongs to Julie Smith in group Student and Sixth Grade, verifies that her device is safe, and gives Julie instant access to grade-appropriate resources. If the device is compromised, it's quarantined until she updates her software using a link provided. Julie's user group, the resources her group can access, and the security requirements for her devices are all defined using the security policy engine, and then enforced automatically.

We can also detect inappropriate or dangerous activity and take immediate action. For example, if the content filter detects cyberbullying or threats, the software can identify the owner of the device, take the device off the network, and alert the principal in real time. We know that parents want a safe school environment for their children, and we take that responsibility very seriously.

Our school district now has a rich new environment where students, parents, and teachers are much more engaged in the learning process. One example that comes to mind: the student from Iraq whose grades have gone from Cs to As because he can simultaneously translate the teacher's lectures on his iPad. Another is the social studies teacher whose students fact-check her in real time, and get extra points if they find a mistake. Still another is the fourth grade class where students blog about what they learn, and parents respond with comments; guess what the dinner conversation is about that evening? These are just snapshots of how our BYOD program is changing the way our students learn every day.

I believe that by integrating technology into the curriculum, we'll be able to demonstrate that we have the brightest students in the world here in the United States. BYOD is at the heart of it, and even on a scale like ours, the security concerns are manageable without additional staff. The result is a new learning environment to prepare our students for the challenges and opportunities that await them.
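The Julie Smith decision described above (identity from the directory, posture from the device, the result being a VLAN or quarantine with a remediation link) is the kind of rule a NAC policy engine evaluates on every connection. The following is an added example written for this article; it is not the district's NAC configuration or any vendor's code. The group names, VLAN IDs, minimum OS versions, definition-age limit and remediation URL are all assumptions.

```python
"""Policy-engine decision for onboarding a BYOD device: who the user is plus
what shape the device is in decides the VLAN, or quarantine with a fix-it link.

Added example, not the district's NAC configuration. Group names, VLAN IDs,
minimum OS versions, the AV definition-age limit and the remediation URL are
assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Optional

# Assumed mapping of directory group -> (VLAN, resources reachable from it)
GROUP_POLICY = {
    "student_k5":  (110, {"lms", "library"}),
    "student_6_8": (120, {"lms", "library", "email"}),
    "teacher":     (200, {"lms", "library", "email", "gradebook"}),
    "guest":       (900, {"internet"}),
}
QUARANTINE_VLAN = 999                                   # assumed
REMEDIATION_URL = "https://nac.example.invalid/fix"     # assumed
MIN_OS = {"ios": (7, 0, 4), "android": (4, 3), "windows": (6, 1)}  # assumed minimums
MAX_AV_AGE_DAYS = 7                                     # assumed


@dataclass
class Device:
    os: str
    version: str                       # dotted string reported by the agent
    encrypted: bool
    av_defs_age_days: Optional[int]    # None: platform has no AV agent to check
    malware_found: bool


def parse_version(s):
    """'7.0.4' -> (7, 0, 4); tuples compare element-wise, so '7.0' < '7.0.4'."""
    return tuple(int(p) for p in s.split("."))


def posture_failures(dev):
    """Every posture check the device fails; an empty list means it is healthy."""
    fails = []
    if dev.malware_found:
        fails.append("malware detected")
    if dev.os not in MIN_OS:
        fails.append(f"unsupported OS {dev.os}")
    elif parse_version(dev.version) < MIN_OS[dev.os]:
        fails.append(f"{dev.os} {dev.version} below minimum")
    if not dev.encrypted:
        fails.append("storage encryption off")
    if dev.av_defs_age_days is not None and dev.av_defs_age_days > MAX_AV_AGE_DAYS:
        fails.append("AV definitions stale")
    return fails


def decide(user, group, dev):
    """The access decision the NAC would push to the switch or controller."""
    if group not in GROUP_POLICY:
        return {"user": user, "action": "deny", "reason": f"unknown group {group}"}
    fails = posture_failures(dev)
    if fails:   # the quarantine VLAN reaches only the remediation portal
        return {"user": user, "action": "quarantine", "vlan": QUARANTINE_VLAN,
                "remediate": REMEDIATION_URL, "reasons": fails}
    vlan, resources = GROUP_POLICY[group]
    return {"user": user, "action": "allow", "vlan": vlan,
            "resources": sorted(resources)}


if __name__ == "__main__":
    julie = Device("ios", "7.0.4", encrypted=True, av_defs_age_days=None,
                   malware_found=False)
    print(decide("jsmith", "student_6_8", julie))
    print(decide("jsmith", "student_6_8",
                 Device("android", "4.1", True, 30, False)))
```

The point of returning every failed check rather than the first one is that the remediation page can tell the student (or the parent helping them) exactly what to fix before the device is re-evaluated.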

Page 19: DECEMBER 2013 INFORMATION VOL. 15 | NO. 10 SECURITYcdn.ttgtmedia.com/searchSecurity/downloads/ISM_Dec_final.pdf · 2014-01-16 · become insider threats. While the National Security

19 INFORMATION SECURITY n DECEMBER 2013

EDITOR’S DESK

SECURITY 7 AWARD WINNERS

ENHANCED THREAT DETECTION

ENTERPRISE SECURITY BY THE NUMBERS

THE RISKY BUSINESS OF PROBABILITY

SECURITY 7 | GOVERNMENT

Secure All the Things
Despite the promise of the Internet of Things, history will repeat itself unless we take action.
BY ANGELA OREBAUGH

ANGELA OREBAUGH
Fellow, Booz Allen Hamilton

- Leader in advancing continuous monitoring and security automation standards through NIST guidance (SP800-137) used across the Federal government and industry.

- Co-author and technical contributor to many NIST special publications, including SP800-137, SP800-126, SP800-115, SP800-113, SP800-94, SP800-92 and SP800-77. Helped NIST write the voluntary security guidelines used by makers of electronic voting systems.

- Heads a team of analysts who develop vulnerability content for the National Vulnerability Database.

WE ARE ON the brink of a disruption of the Internet as we know it. This next evolution of the Internet combines smart devices, cloud, and big data analytics that will change our lives forever. Okay, maybe that's just the hype talking, but we are starting to see a number of innovative products that are providing more knowledge and convenience in our everyday lives. Many of you have probably heard of the new era as the "Internet of Things," "Internet of Everything" or the less glamorous "cyber-physical systems." The concept is that "things" can be connected, monitored, and managed via small, efficient processors to provide beneficial data and interaction with the physical world.

The Internet of Things is essentially a gateway between the digital world and the physical world. Some examples include smart thermostats, vehicles, smart meters, health and activity monitors, and implantable medical devices. The devices interact using a variety of methods, including RFID, Bluetooth, Wi-Fi, Z-Wave and ZigBee. Both startups and large, established companies are creating new consumer smart devices and cyber-enabling physical systems in manufacturing, transportation and health care. Many reports have estimated several billion of these devices by 2015.

The power of the Internet of Things is in its ability to combine information from various devices and systems in novel ways to provide unprecedented insights and convenience. Synthesizing data from various sensors and systems is what makes the Internet of Things a force for major change, in that it may help us solve some of the biggest problems facing society, from minimizing power outages to easing traffic congestion. Ah, the power of synergy!

Despite the promise of the Internet of Things, when it comes to security, I am seeing history repeat itself. As a longtime security technologist, I've seen once-secure technology become connected to the Internet and turn into a target for attackers: first mainframes, then servers, desktops, VoIP and mobile devices. Next in line is the Internet of Things.

Several attacks have already occurred on these types of devices. Parents heard a strange voice talking to their baby in her room and discovered that an attacker had remotely connected to the unsecured camera on their Foscam baby monitor. The security of the Internet of Things was front and center at this year's Black Hat conference, with successful demonstrations of hacking a smart lock, a smart TV and a car. The number of these devices connected to the Internet is growing, increasing the possible attack vectors every day. The potential influx of devices increases the risk that the Internet of Things could distribute attacks far more widely than we have seen in other applications. These devices become easy, low-hanging fruit for a wide range of attackers.

Since the Internet of Things is still in the emerging phase, ensuring security and privacy is an important issue that must be addressed and resolved now. As security practitioners we are at a critical place to make a difference in the evolution of the Internet of Things. We can be the evangelists for security-aware technologies and products in several ways:

- Implementer: If you are installing devices in your organization, incorporate the Internet of Things into your security policies and work with vendors to evaluate and improve their security features.

- Developer: If your product fits this category, take the necessary steps to ensure security is being built in, using techniques such as secure development methods, secure operating systems and hardware security.

- Securer: If you work for a security company, start making strides in developing new approaches to Internet of Things threat monitoring and ways to detect and remediate attacks.

- Consumer: If you are an end consumer of devices, make sure you are purchasing devices with built-in security, and let companies whose products lack security know why you haven't purchased their products. Most importantly, secure the devices you are purchasing. Change the default passwords and enable the security features. At a minimum, smart devices should include the ability to set a strong password and to use encryption.

Let's work together to get ahead and ensure security is built into products so that when our lives do change forever, we can rest assured that all things are secure.

OUTSIDE OF WORK

Apple or Android? Apple
Plan B: Professional conservationist
Security hero? Dorothy Denning
Things people don't know about you: Art major in college, member of Charlottesville Derby Dames
How you unwind: Meditation and roller derby, but not at the same time.
What keeps you up at night? Typically, only my dog during a thunderstorm.


SECURITY 7 | RETAIL

Get Back to Basics for Improved Network Security
If your post-mortem meetings are anything like mine, forget the bells and whistles and revisit fundamental security practices.
BY NICK DUDA

NICK DUDA
Principal Information Security Engineer, Vistaprint

- Developed and implemented an automated IT security system for Vistaprint's distributed network supporting 4,500 employees, 25 localized websites and a Web portal that ships products to 130 countries.

- Mentors and offers advice to others on the technologies he's deployed, including ForeScout CounterACT, Sophos SafeGuard and Thycotic Secret Server. Designed the ForeScout CounterACT Cacti host template.

- Credentials and affiliations: Compliance and Regulations PCI DSS (level 1), MA CMR 17.0, ForeScout Certified Engineer

AS I TRAVEL to industry events and talk with peers about network security, the biggest issue I see is that bright, shiny security tools with the latest bells and whistles mesmerize people. Too many companies deploy these tools without analyzing how the technology will be used or integrated with their security management structure. Collectively, network security teams need to put a stop to this mindset; they must slow down, take a look at the network and focus on solving the problems at hand.

First, let's look at the security incident process. How many incidents can you recall where the post-mortem review contained items such as: install or update the antimalware software; patch the OS, application or hardware; update switch and firewall rules; change access control lists; or implement some local device configuration? If your post-mortem meetings are anything like mine, then you are looking at security best practices for corrective actions. How can we leverage a "back-to-basics" approach with the goal of increasing the security posture of our network infrastructure?

One of the key security best practices is making sure preemptive or corrective actions are taken. Take a step back and make sure you have visibility into all the devices on your network. Everything connected to the network should be identified and properly categorized. The best way to do this is to use several data points to identify the device. While a MAC or IP address is a good place to start, both are easily impersonated or spoofed, which leaves the network open to attack. Using several criteria to identify a device helps to eliminate this risk.
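The "several data points" advice above is easy to state and easy to get wrong, because most inventories still key on the MAC address. The following added example (not the author's tooling) lets the MAC pick the inventory candidate but bases the verdict on how many independent attributes agree, so a laptop that cloned a printer's MAC is reported as a possible spoof. The inventory and the observed devices are constructed, and the attribute names (DHCP vendor class, OS fingerprint, scanned ports, switch port) are assumptions about what the DHCP server, scanner and network team can supply.

```python
"""Identify a connected device from several data points, not just its MAC or IP.

Added example, not the author's tooling. The inventory and observations are
constructed; the attribute names are assumptions about available data sources."""

# Constructed asset inventory keyed by MAC address
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "print-fin-01", "dhcp_vendor": "HP JetDirect",
                          "os": "embedded", "ports": {80, 9100}, "switchport": "sw3/12"},
    "aa:bb:cc:00:00:02": {"name": "ws-alice", "dhcp_vendor": "MSFT 5.0",
                          "os": "Windows 7", "ports": {135, 445, 3389}, "switchport": "sw1/4"},
}

# Data points compared in addition to the MAC; each comes from a different source
CRITERIA = ("dhcp_vendor", "os", "ports", "switchport")


def identify(observed, inventory=INVENTORY, min_match=3):
    """Match an observed device to inventory. The MAC selects the candidate,
    but the verdict depends on how many independent attributes agree."""
    mac = observed["mac"].lower()
    known = inventory.get(mac)
    if known is None:
        return {"mac": mac, "verdict": "unknown", "matched": [], "mismatched": []}
    matched = [c for c in CRITERIA if observed.get(c) == known[c]]
    mismatched = [c for c in CRITERIA if c not in matched]
    verdict = "identified" if len(matched) >= min_match else "possible_spoof"
    return {"mac": mac, "name": known["name"], "verdict": verdict,
            "matched": matched, "mismatched": mismatched}


# Constructed observations: the real printer, and a laptop that cloned its MAC
PRINTER_SEEN = {"mac": "AA:BB:CC:00:00:01", "dhcp_vendor": "HP JetDirect",
                "os": "embedded", "ports": {80, 9100}, "switchport": "sw3/12"}
CLONED_MAC_SEEN = {"mac": "aa:bb:cc:00:00:01", "dhcp_vendor": "dhcpcd-6.0",
                   "os": "Linux 3.x", "ports": {22}, "switchport": "sw2/7"}


if __name__ == "__main__":
    for seen in (PRINTER_SEEN, CLONED_MAC_SEEN, {"mac": "00:11:22:33:44:55"}):
        print(identify(seen))
```

A single mismatch (the printer plugged into a different switch port) still identifies the device and records what changed, which is the help-desk ticket; four mismatches with a known MAC is the case the article warns about.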

I've conducted many security post-mortems, and more often than not, there are one or more issues related to software or hardware missing a patch, not running the latest secure version, or carrying a misconfiguration. Once you have visibility, you can put preemptive steps in place, such as alerting the help desk if a system has outdated antivirus protection or is running an older operating system. The help desk staff can then work to ensure that corrective actions are taken, or if you have a network management system in place, you can automate corrective actions.

Compliance and auditing tools are another area to leverage. To deal with the growing smorgasbord of compliance and government mandates, many enterprises have mapped tools and controls across industry and regulatory compliance frameworks to more efficiently institute governance, risk and compliance security best practices. These tools often include comprehensive information and a set of controls that provide insight across your IT environment.

Finally, get all the teams within the larger IT operations group collaborating with each other. The network team often has information regarding how and where devices are connecting to the network. The help desk team can be a crucial ally in making sure all assets are identified, properly upgraded and patched. The risk and compliance group often has tools that validate the compliance status of devices before they are granted network access and offer methods for remediation or quarantining. Not only does this cross-team collaboration increase the ROI on all security implementations and related tools, it leads to better data, more accurate processes and, overall, a more secure enterprise.

OUTSIDE OF WORK

Plan B: To be a Marine.
Security hero? Ed Skoudis. Most of my security training was issued by Ed.
Things people don't know about you: Own every issue of The Amazing Spider-Man from 1962 to present, regular at the annual Burning Man festival.
Six degrees of separation: Gabrielle Carteris (Andrea from Beverly Hills 90210) is my wife's second cousin.
What keeps you up at night? Zero-day vulnerabilities.


ENHANCED THREAT DETECTION

THE NEXT (FRONT) TIER IN SECURITY When conventional security falls short, breach detection systems and other tier 2 technologies can bolster your network’s defenses.

THREAT DETECTION HAS moved beyond signature-based fire-walls and intrusion detection systems to include newer technologies that monitor content and communications. These tier 2 technologies are not included in security budgets, however, for many reasons. The primary one: These newer systems and services—security intelligence, threat forecasting and modeling, breach detection sys-tems, forensics—do not fit into security strategies due to a myopic focus on conventional best practices or outdated regulatory compliance.

Security at the highest level can be broken down to people, process and technology. The people and pro-cess requirements are going to be different depending on company revenue, industry vertical and geographic loca-tion. However, security technology, and threat detection, for the most part, has remained relatively consistent and static across most industry verticals with the inclusion of tier 1 security technologies. These technologies are con-sidered the foundation of security best practices: fire-walls, antivirus, intrusion detection/prevention systems, secure Web gateways, messaging security, VPNs and

By John Pirc

Page 25: DECEMBER 2013 INFORMATION VOL. 15 | NO. 10 SECURITYcdn.ttgtmedia.com/searchSecurity/downloads/ISM_Dec_final.pdf · 2014-01-16 · become insider threats. While the National Security

25 INFORMATION SECURITY n DECEMBER 2013

EDITOR’S DESK

SECURITY 7 AWARD WINNERS

ENHANCED THREAT DETECTION

ENTERPRISE SECURITY BY THE NUMBERS

THE RISKY BUSINESS OF PROBABILITY

ENHANCED THREAT DETECTION

carefully look at its filter set, you’ll find that the majority of its zero-day filters are disabled by default. It’s a great marketing spin to have zero-day coverage, but if it’s not turned on by default, how is that helping you stay ahead of the threat and reducing your risk?

Most tier 1 security technologies protect you against known threats. A great example of this is Microsoft. The Windows behemoth releases security patches in the sec-ond week of every month on Microsoft “Patch Tuesday.” The great thing about Microsoft is that it collaborates with security vendors that are members of its Microsoft Active Protections Program. These vendors receive the vulnerability information shortly before it’s released to the public. This gives the vendors time to create filters and signatures to identify a known vulnerability.

The issue, however, is the ability to identify unknown

security information and event management. Tier 1 security technologies are fundamental to any se-

curity architecture, but we have been using them for 20 years—and antivirus for almost 30 years. It’s time to start adapting and embracing new technologies. (And what I mean by new technologies is not a known technology with “next generation” in front of the product category.)

Frankly, we need “now-generation” technologies, and these network security appliances and services fall into tier 2. (The concepts of tier 1 and tier 2 security technolo-gies were introduced in Blackhatonomics, a book I coau-thored with Will Gragido, Daniel Molina and Nick Selby). These concepts illustrate a distinct paradigm shift within the security industry and, at the same time, address a fun-damental misconception in security best practices.

WHY ENHANCED THREAT DETECTION MATTERSThe threat landscape is dynamic and consistently adapt-ing to new methods of exploitation. One of the largest gaps with tier 1 security technologies is their inability to stop unknown malware, or even notify you when you have been successfully breached.

The common misconception of tier 1 security tech-nologies is that the appliances and software claim cover-age for malware, but the level of depth in coverage can be questionable depending on the security vendor. One se-curity vendor, that will remain unnamed, claims zero-day coverage for hundreds of unknown vulnerabilities. If you

Tier 1 security technologies are fundamental to any se curity architecture, but we have been using them for 20 years—and antivirus for almost 30 years. It’s time to start adapting and embracing new technologies.

Page 26: DECEMBER 2013 INFORMATION VOL. 15 | NO. 10 SECURITYcdn.ttgtmedia.com/searchSecurity/downloads/ISM_Dec_final.pdf · 2014-01-16 · become insider threats. While the National Security

26 INFORMATION SECURITY n DECEMBER 2013

EDITOR’S DESK

SECURITY 7 AWARD WINNERS

ENHANCED THREAT DETECTION

ENTERPRISE SECURITY BY THE NUMBERS

THE RISKY BUSINESS OF PROBABILITY

ENHANCED THREAT DETECTION

Filling the gaps with tier 2 security technologies, like breach detection systems, is an excellent way to re-duce your risk against the unknown. The key capability of BDS is that it is attack surface aware. BDS can detect the initial drop of a malicious file or the command and

control communication of an unknown piece of malware. These systems are deployed at the network perimeter as a network appliance or as software that is loaded on an end-point asset. They leverage multiple identification vectors such as IP address and domain reputation data, pattern matching, heuristics, flow monitoring, browser emulation, and operating system behavioral analysis at the network layer or host. Figure 1 (on the next page) illustrates the results of a vendor in our BDS testing earlier this year. It conveys the product’s ability to identify two aspects of successful malware delivery through HTTP.

malicious content in transit or on the asset being tar-geted. The next step is to determine if the attack was successful. Most tier 1 security technologies fall short in providing these much needed capabilities.

Some tier 1 security devices such as intrusion preven-tion systems lack the ability to keep the state of a trans-action, because they are performing multiple operations to validate if the data flowing through the IPS matches a particular filter/signature or pattern. Furthermore, some systems lack the ability to parse compound documents such as PDFs or Word documents that contain malware. Understanding and knowing about weaknesses contained in the products that are defending your corporate infra-structure will hopefully make you re-think your security strategy.

BEFORE ENEMY THREATS BECOME REALThe key goal to any security strategy is reducing your overall risk. It’s important to understand that there is no silver bullet in mitigating 100% of all threats. The Chi-nese military classic, The Art of War, is commonly quoted within the security community: “If you know your en-emies and know yourself, you will not be imperiled in a hundred battles…” We know the enemies well and their methods for evading detection. The know yourself part is somewhat lost in translation; most of us are focused on adding security countermeasures, which are not cookie cutter for every corporate infrastructure.

The issue, however, is the ability to identify unknown malicious content in transit or on the asset being tar geted. The next step is to determine if the attack was successful.

Page 27: DECEMBER 2013 INFORMATION VOL. 15 | NO. 10 SECURITYcdn.ttgtmedia.com/searchSecurity/downloads/ISM_Dec_final.pdf · 2014-01-16 · become insider threats. While the National Security

27 INFORMATION SECURITY n DECEMBER 2013

EDITOR’S DESK

SECURITY 7 AWARD WINNERS

ENHANCED THREAT DETECTION

ENTERPRISE SECURITY BY THE NUMBERS

THE RISKY BUSINESS OF PROBABILITY

ENHANCED THREAT DETECTION

additional security to close the gaps left open by other se-curity technologies.

However, defense in-depth is somewhat played out. Think of it as “confidence in-depth” utilizing now-gener-ation technology (instead of “next-generation” products and services). My advice is that you start planning for the inclusion of enhanced threat detection offered by tier 2

It’s important to understand there’s always going to be a patient zero (first infected asset) with any piece of un-known malware. BDS allows you to identify the patient zero along with the corresponding intelligence to remedi-ate other assets on your infrastructure that were infected by the initial detection of malware. This is absolutely a common defense in-depth approach, essentially layering

[ FIGURE 1]

HTTP Malware Detection Over Time (min.)

Perc

ent D

etec

ted

Page 28: DECEMBER 2013 INFORMATION VOL. 15 | NO. 10 SECURITYcdn.ttgtmedia.com/searchSecurity/downloads/ISM_Dec_final.pdf · 2014-01-16 · become insider threats. While the National Security

28 INFORMATION SECURITY n DECEMBER 2013

EDITOR’S DESK

SECURITY 7 AWARD WINNERS

ENHANCED THREAT DETECTION

ENTERPRISE SECURITY BY THE NUMBERS

THE RISKY BUSINESS OF PROBABILITY

ENHANCED THREAT DETECTION

complimentary to existing security infrastructure. While adopting tier 2 security technologies within your exist-ing security infrastructure is a solid approach to counter-ing persistent and unknown threats, the cost is not trivial. These types of capital expenditure procurements need to be planned well in advance of the company’s fiscal year budget cycle.

JOHN PIRC is the research vice president at NSS Labs. A security intelligence and cybercrime expert, Pirc is the co-author of two books, Blackhatonomics: An Inside Look at the Economics of Cybercrime and Cyber Crime and Espionage. Prior to his role at NSS Labs, Pirc was the director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next generation security products. Follow him @jopirc.

security technologies in your budget cycle. Start by doing a proof of concept and testing some tier 2 systems within your infrastructure.

The threat detection technology, maturity and scal-ability of these systems will vary by vendor. Some areas to consider are whether the system requires network or endpoint deployments, or some combination. If it uses sandboxing, is the data sent to the cloud, and if so, can that functionality be turned off? Is the system able to de-tect pre-existing breaches as well as malware introduced through side channels? Even if a vendor makes these claims, it’s important to verify that the technology works as advertised.

At NSS Labs, we have thoroughly tested this technology and believe it offers a solid addition that is


DATA DUMP

Enterprise Security by the Numbers

In the year of APT1 and Eric Snowden, what’s happening inside some organizations is alarming from a security standpoint.

[FIGURE: MOBILE DEVICE POLICIES A BUST. Bar chart of the percentage (0-100%) of employee-owned versus corporate-owned devices on which each of the following policies is configured (yes/no); callout: 75% allow explicit content on company-owned phones]

Policies charted:

Enable encryption enforcement (when not automatically enabled)

Configure email account

Require a specific app

Allow explicit content

Allow cloud document backup

Allow sync while roaming

Enforce an application restriction (blacklisting)

Allow YouTube

Allow non-market apps

Configure Web clips & shortcuts

DATA FROM TWO MILLION DEVICES WORLDWIDE; SOURCE: FIBERLINK

TALK RADIO NEWS SERVICE


DATA INTEGRITY AT WORK

51% of the global enterprises surveyed do not know how many digital certificates and encryption keys they have.

On average, every enterprise has 17,807 certificates and keys.

SOURCE: PONEMON INSTITUTE (SPONSORED BY VENAFI)

FAULTY FIREWALLS

One-third of companies surveyed had five or more firewall-related outages in the last year.

17% of financial services companies reported 11 or more outages in the last 12 months.

A quarter of businesses surveyed had to re-do more than 60% of all firewall changes because they weren’t implemented correctly the first time.

WHAT DO WINDOWS 8 AND WINDOWS XP HAVE IN COMMON? THE AMOUNT OF MALWARE.

Windows XP end of life in 2014 could cause security headaches for companies.

Windows XP is six times as likely to be infected by malware than Windows 8.

Windows XP Service Pack 2 (no longer supported) has a 66% higher infection rate than Windows XP Service Pack 3.

Top three XP threats: Sality, Ramnit, Vobfus (family of worms)

SOURCE: MICROSOFT SECURITY INTELLIGENCE REPORT, VOLUME 15, JANUARY-JUNE 2013; ICONS: HEMERA/THINKSTOCK

SOURCE: VERACODE 2013 STATE OF SOFTWARE SECURITY REPORT (MARCH 2013)

SOURCE: TUFIN TECHNOLOGIES SURVEY (500 SENIOR MANAGERS FROM COMPANIES OF 1,000 OR MORE IN U.S. AND U.K.)

SOFTWARE SECURITY FALLS SHORT

The percentage of applications that failed to comply with security policies upon first submission:

Enterprise Policy: 70% out of compliance

CWE/SANS Top 25: 69% out of compliance

OWASP Top 10: 87% out of compliance



SECURITY ECONOMICS | PETER LINDSTROM

The Risky Business of Probability

You are better off with real numbers when it comes to measuring probability and the elements of security risk, even if they are wrong. BY PETER LINDSTROM

As most of us know, return on security investment is basically the amount of risk reduced, less the amount spent, divided by the amount spent on controls. Net amount of risk per amount of control is the essential formula for any “return on” ratio—return on investment, equity, assets and so on. (It isn’t like this stuff is just made up; there’s history and an interest in consistency here.)

The challenge for technology risk management professionals is really a gut check: Are we really, truly reducing risk by the amount we are spending on security? As I noted in my November column, first, realize that you are making that assertion every time you allocate resources to some function. So take a step back and verify that the costs of your recent actions—salaries, operating expenses, capital investments—meet these criteria.

But breakeven is never good enough, and we really haven’t gotten to the bottom of the individual values of probability and impact (the elements of risk). It’s useful—perhaps even crucial—to have an objective understanding of these values, especially because risk can generate a lot of emotions.

REAL PROBABILITY NUMBERS

The first thing to recognize when you are trying to predict the future of “badness” involving intelligent adversaries is that there is no way to perform these measurements with precision, so you should opt for accuracy. You are better off identifying “confidence intervals” that bound the upper and lower likelihoods as tightly as possible. The tighter the range, the more you can call yourself an


crazy people (like me) may want to select a population of event actions.

A smart way to deal with the difficulty of identifying pertinent populations is to use frequencies instead; simply estimate the number of unwanted outcomes per time period. This nifty little trick was introduced to technology risk management professionals in the FAIR model. Predicted frequencies of attack, or compromised assets, focus on your specific organizational entity and are generally easier for people to work with. The downside comes when you are trying to normalize across organizations or getting more granular in actually addressing the risks by applying controls. (Hint: beware of the base rate fallacy.)

BOTTOM LINE IMPACT

After determining the probability (or frequency), you then need to figure out how to measure impact. These measurements can develop through revealed preferences, but many folks believe you can’t measure the impact on brand or reputation—or being on the proverbial front page of the Wall Street Journal. The truth is, this kind of concern is often more reflective of embarrassment or reputation of senior executives than it is an impact to the organization.

To the extent I’m wrong in this assertion (got a rise out of you, didn’t I?), then you must agree that for economic entities like the organizations we protect, the only reason brand or reputation should matter is if it increases

“expert,” that is, if it plays out in your favor.

It’s common for organizations to use scales like “very low to very high” or 0-5 (you do include zero, right?) to create these intervals. You are better off with real numbers, even if they are wrong. Research has shown that there tend to be broad ranges and gaps in places when people try to interpret scales. Nowadays, it’s not too difficult to find numbers to use as your guide in coming up with probability—internal metrics, published data reports, surveys, and so on.

One challenge with probability estimates is how to determine what the population should be (that’s the denominator). This can be as simple as the organization overall—three out of every 10 companies in the population. But more likely, the probability is based on the percentage of assets—users, systems, applications—expected to be compromised over a defined period of time. Completely



As you consider your estimated risk for individual projects, remember that the probability x impact that you are addressing must be greater than the amount you are spending on it. With a proper understanding and use of confidence intervals and estimates, you can do a better job of getting to that ever-elusive return on security investment.
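The return-on-security-investment formula from the top of this column, carried through with the confidence intervals and frequencies the column recommends, so that the breakeven test above can be applied to a pessimistic bound rather than a point guess. This is an added example, not the columnist’s; every asset count, probability, impact and control cost in it is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Interval:
    low: float
    high: float

    def __post_init__(self) -> None:
        if self.low > self.high:
            raise ValueError("interval low bound exceeds high bound")

def frequency_from_probability(p_per_asset: Interval, assets: int) -> Interval:
    """Per-asset compromise probability per period -> expected compromised
    assets per period, with the population (the denominator) made explicit."""
    if p_per_asset.low < 0 or p_per_asset.high > 1 or assets < 0:
        raise ValueError("probabilities must lie in [0, 1]; assets must be >= 0")
    return Interval(p_per_asset.low * assets, p_per_asset.high * assets)

def ale(freq: Interval, impact: Interval) -> Interval:
    """Annualized loss expectancy = frequency x impact (dollars per period);
    both factors are non-negative, so the bounds multiply pairwise."""
    if freq.low < 0 or impact.low < 0:
        raise ValueError("frequency and impact must be non-negative")
    return Interval(freq.low * impact.low, freq.high * impact.high)

def rosi(before: Interval, after: Interval, control_cost: float) -> Interval:
    """ROSI = (risk reduced - control cost) / control cost. The pessimistic bound
    pairs the lowest plausible risk before the control with the highest after it."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    worst = (before.low - after.high - control_cost) / control_cost
    best = (before.high - after.low - control_cost) / control_cost
    return Interval(worst, best)

def breaks_even(r: Interval) -> bool:
    """True only when even the pessimistic bound recovers the control's cost."""
    return r.low >= 0.0

def example(assets: int = 2000, control_cost: float = 100_000.0) -> dict:
    """Constructed scenario (not from the column): one endpoint control costed with
    wide estimates, then with tightened ones; impact is a fixed cost per incident."""
    wide_p, wide_p_after, wide_impact = Interval(0.02, 0.05), Interval(0.005, 0.02), Interval(5e3, 2e4)
    tight_p, tight_p_after, tight_impact = Interval(0.03, 0.04), Interval(0.01, 0.015), Interval(8e3, 12e3)
    wide = rosi(ale(frequency_from_probability(wide_p, assets), wide_impact),
                ale(frequency_from_probability(wide_p_after, assets), wide_impact), control_cost)
    tight = rosi(ale(frequency_from_probability(tight_p, assets), tight_impact),
                 ale(frequency_from_probability(tight_p_after, assets), tight_impact), control_cost)
    return {"wide": wide, "wide_breaks_even": breaks_even(wide),
            "tight": tight, "tight_breaks_even": breaks_even(tight)}
```

With the wide estimates the ROSI interval spans roughly -7 to 18.5, which supports no decision at all; tightening the same estimates narrows it to 0.2 to 7.0, and only then does the control clear breakeven at the pessimistic bound.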

PETER LINDSTROM is principal and vice president of research for Spire Security. He has held similar positions at Burton Group and Hurwitz Group. Lindstrom has also worked as a security architect for Wyeth Pharmaceuticals and as an IT auditor for Coopers and Lybrand and GMAC Mortgage. Contact him via email at [email protected], on Twitter @SpireSec, or on his website, spiresecurity.com.

our short- or long-term costs, or decreases our revenue. And there’s the rub: all estimates of impact can—and should—be translated into financial terms. I slyly added that “short and long term” qualifier, because often it’s easier to assess the short-term impact prospects of an incident than the longer-term ones.

The technology risk management field has good data to start with on the costs associated with response and recovery from breaches. The Ponemon Institute’s U.S. Cost of a Data Breach Study comes to mind, but there are a few others as well. The best part is these reports give us some notion of the categories to consider when estimating losses. Just stay away from any sort of “per record” cost as most costs and losses are fixed and don’t vary with record numbers.


TechTarget Security Media Group

TechTarget, 275 Grove Street, Newton, MA 02466

www.techtarget.com

EDITORIAL DIRECTOR Robert Richardson

FEATURES EDITOR Kathleen Richards

SENIOR MANAGING EDITOR Kara Gattine

SENIOR SITE EDITOR Eric Parizo

ASSOCIATE EDITOR Brandan Blevins

DIRECTOR OF ONLINE DESIGN Linda Koury

GRAPHIC DESIGNER Neva Maniscalco

COLUMNISTS Marcus Ranum, Gary McGraw, Doug Jacobson, Julie A. Rursch, Matthew Todd, Peter Lindstrom

CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD

Phil Agcaoili, Cox Communications

Richard Bejtlich, Mandiant

Seth Bromberger, Energy Sector Consortium

Mike Chapple, Notre Dame

Brian Engle, Health and Human Services Commission, Texas

Mike Hamilton, City of Seattle

Chris Ipsen, State of Nevada

Nick Lewis, Saint Louis University

Rich Mogull, Securosis

Tony Spinelli, Equifax

Matthew Todd, Financial Engines

MacDonnell Ulsch, ZeroPoint Risk Research

VICE PRESIDENT/GROUP PUBLISHER Doug [email protected]

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE AND PAGE 4: FOTOLIA